From: Andreas B. <bi...@rz...> - 2003-01-06 22:17:42

(a)dsl is a very broad spectrum of standards etc.. you have to ask your dsl/telco provider what standard they use/sell you and then buy your products accordingly.. here in germany there is AVM (avm.de), maybe you know them, they make the FRITZ type of cards, mainly for ISDN so far, but they also feature an adsl/isdn combined card for pci for about a year now, and they also have linux drivers... then make yourself familiar with all those fancy (a)dsl standards as i said, get the exact tech details of your dsl/telco provider and google some more

http://www.themad-house.co.uk/Conexant/conexant-specification.html
and for linux they link to:
http://www.digitaltrickery.com/conexant-pci-notes.html
http://www.speedtouchdsl.com/prodpc.htm
linux howto (although dutch/belgian) for speedtouch:
http://bartendavid.linuxbelgium.net/howto_hardware_speedtouch.html
http://groups.google.com/groups?selm=87474af6.0210241412.171da6b8%40posting.google.com&oe=UTF-8&output=gplain
http://www.devolo.de/produkte/adsl/mladslpci/index.php
(this is the old ELSA company, they used to make gfx cards, telco equipment and so forth, they went bankrupt but a subset of the old staff continued especially the telco stuff, so they have this adsl modem now, but then again, maybe this is only for the german market, and it could be an AVM oem product, who knows, you should always ask for more details if it fits your UK needs...)
http://www.lioncom.net/itex.htm
http://www.msdist.co.uk/documents/Pulsarspecs.pdf
http://www.avm.de/en/products/FRITZdsl/FRITZ_Card_DSL/FRITZCard_DSL/index.html
http://www.digitaltrickery.com/conexant-pci-notes.html
http://www.easytel.fi/pdf/300C.pdf
http://www.alloy.com.au/products/ALH110.htm
http://www.eicon.com/support/helpweb/adsl_isdn/install_pci.asp

how about this:
http://www.amazon.co.uk/exec/obidos/ASIN/B0000687BD/qid%3D1041891147/026-5807252-9207643
amazon at your place :)

check out the d-link UK site or something...
http://www.dlink.co.uk/long_desc.asp?id=254
(this product is actually eicon for the german market, maybe you simply ask them and ask for some adsl pci products for the UK market.. i am sure big companies like eicon and avm can be of better help than searching the web for info....)

or ask your UK telco/dsl provider for recommended products or some dsl/telco forums in the UK? we have some end-user forums and chats for the german market, and it's pretty informative to check for your daily dsl/telco troubles and exchange experience there... try to find out who are the real manufacturers of these products, and who sells them for their local/OEM market... or read some adsl howto/faqs for linux and so forth... maybe some of the UK dsl providers sell some of these AVM/other dsl cards as OEM ware, rebranded as their own... a big german telco/dsl provider does that here in germany... then there is also: www.eicon.com , they also sell a rebranded pci adsl card here in germany, it's similar to AVM's card.. but i don't seem to be able to find that adsl pci card on their website, but then again you probably check their UK subsite for best results of products for your UK telco/dsl standards and so forth...

generally speaking, i would prefer a standard eth/feth/ge nic and an external adsl modem, with which you communicate through pppoe or the like... that's more common if you can do that at your place... but i guess, there are several manufacturers of pci adsl cards by now, who also feature linux support and so on... the market looks better than when i was thinking about either going for AVM's pci adsl solution or for an external pppoe adsl modem back then. i have chosen the external adsl solution, because pppoe and ethernet are just two good old standards widely adopted by now, and the least trouble...

good luck and cheers,
andy

----- Original Message -----
From: "Dirk Koopman" <dj...@to...>
To: <sho...@sh...>
Sent: Monday, January 06, 2003 4:50 PM
Subject: [Shorewall-users] ADSL PCI cards

> Does anyone have any information or recommendations for ADSL PCI Cards
> for Linux boxes? E.g. which ones are supported? How much are they? etc.
> Dirk
> --
> Please Note: Some Quantum Physics Theories Suggest That When the
> Consumer Is Not Directly Observing This Product, It May Cease to
> Exist or Will Exist Only in a Vague and Undetermined State.
From: Pascal D. <lis...@ne...> - 2003-01-06 21:51:05

Try Sangoma (www.sangoma.com). They have open source drivers as well.

HTH

Pascal

On Mon, 2003-01-06 at 07:50, Dirk Koopman wrote:
> Does anyone have any information or recommendations for ADSL PCI Cards
> for Linux boxes? E.g. which ones are supported? How much are they? etc.
>
> Dirk
--
Pascal DeMilly <lis...@ne...>
From: Tom E. <te...@sh...> - 2003-01-06 21:09:56

Folks,

You can't post to this list by sending mail to 'sho...@sh...' even though that's the envelope sender address in posts from the list. Mailman 2.1 expects all traffic to that address to be DSNs ('bounce'/'delay' notifications from MTAs) and instead of forwarding your post to the list, it spams me (the list administrator) with 'Uncaught bounce notification' messages.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ te...@sh...
From: Tom E. <te...@sh...> - 2003-01-06 19:26:03

--On Monday, January 06, 2003 03:50:31 PM +0000 Dirk Koopman <dj...@to...> wrote:

> Does anyone have any information or recommendations for ADSL PCI Cards
> for Linux boxes? E.g. which ones are supported? How much are they? etc.
>

I'm afraid that I can't help you Dirk. I have an external DSL 'modem'.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ te...@sh...
From: Dirk K. <dj...@to...> - 2003-01-06 15:51:15

Does anyone have any information or recommendations for ADSL PCI Cards for Linux boxes? E.g. which ones are supported? How much are they? etc.

Dirk
--
Please Note: Some Quantum Physics Theories Suggest That When the Consumer Is Not Directly Observing This Product, It May Cease to Exist or Will Exist Only in a Vague and Undetermined State.
From: Tom E. <te...@sh...> - 2003-01-06 14:34:43

--On Tuesday, January 07, 2003 12:31:06 AM +1000 Mark Cheney <ch...@po...> wrote:

> Thank you Vincent and Tom, using the method that Tom recommends I so far
> am having no problems with FTP. I'll keep my fingers crossed.
>

FTP isn't the only outgoing connection that will eventually give you problems. It was just the one that came to mind as I was writing my response.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ te...@sh...
From: Mark C. <ch...@po...> - 2003-01-06 14:31:35

Thank you Vincent and Tom, using the method that Tom recommends I so far am having no problems with FTP. I'll keep my fingers crossed.

Thanks again for your help.

Mark Cheney.

On Mon, 6 Jan 2003 11:44 pm, Tom Eastep wrote:
> >> The file /etc/shorewall/common.def advises me not to edit the file but
> >> rather to create a new one.
> >>
> >> Can anyone give me an idea on how to do this so that the above ports
> >> deny request attempts.
> >
> > You mean "drop" ? Depending on your policy, I think an empty file will
> > just do the trick.
>
> A better approach is to:
> Make a note to yourself to not come whining to the list when you can't
> connect to many FTP sites.
>
> -Tom
From: Tom E. <te...@sh...> - 2003-01-06 13:52:36

--On Monday, January 06, 2003 11:14:34 AM +0100 ag...@gm... wrote:

> Hi all
>
> i am using shorewall firewall now, quite for a long time.
> everything works fine and i am very satisfied.
> but i have noticed one thing:
> when i try to use cuseeme or msnetmeeting i only can send video and audio
> signals
> but i can not receive any signals ...
> surely i have to open some ports or load a module.
> can anybody tell me what to do exactly?
>

I can't -- the Netmeeting part is a FAQ (http://shorewall.sf.net/FAQ.htm) but I've never heard of anyone that was completely satisfied with the module mentioned there (and you have to patch your kernel). I haven't heard of anyone using cuseeme for a long time and have no experience with it under iptables. Perhaps someone on the list has used it...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ te...@sh...
From: Tom E. <te...@sh...> - 2003-01-06 13:44:55

--On Monday, January 06, 2003 01:01:07 PM +0100 Vincent Bernat <be...@fr...> wrote:

>
>> The file /etc/shorewall/common.def advises me not to edit the file but
>> rather to create a new one.
>
>> Can anyone give me an idea on how to do this so that the above ports
>> deny request attempts.
>
> You mean "drop" ? Depending on your policy, I think an empty file will
> just do the trick.

A better approach is to:

a) create the new /etc/shorewall/common file.
b) copy the relevant rules from common.def to common
c) change the target in the rules from 'reject' to DROP
d) make the last line in the file ". /etc/shorewall/common.def"

Make a note to yourself to not come whining to the list when you can't connect to many FTP sites.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ te...@sh...
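Added example (not from the thread, and not Shorewall's own code): the four steps in the reply above as a small Python generator. It reads a common.def, keeps only the rules that reject tcp 113, 135 and 137:139, rewrites their target to DROP, and ends the new file with the line that sources common.def. The common.def text inside the script is constructed to look like the 1.3-era file (run_iptables lines appended to the common chain); the exact wording of the real file on a given system is an assumption, so compare the two regexes against it before use.

```python
"""Generate /etc/shorewall/common from common.def: same ports, DROP instead of reject.

Added example for the reply above; not Shorewall's own code.  The common.def
text is constructed in the 1.3-era style (run_iptables lines appended to the
'common' chain) and is an assumption about the real file's wording.
"""
import re

COMMON_DEF_PATH = "/etc/shorewall/common.def"   # sourced at the end of the new file (step d)

# Constructed stand-in for /etc/shorewall/common.def.
SAMPLE_COMMON_DEF = """\
#
# Shorewall 1.3 -- /etc/shorewall/common.def (constructed sample, not the real file)
#
run_iptables -A common -m pkttype --pkt-type broadcast -j DROP
run_iptables -A common -p udp --dport 137:139 -j DROP
run_iptables -A common -p tcp --dport 113 -j reject
run_iptables -A common -p tcp --dport 135 -j reject
run_iptables -A common -p tcp --dport 137:139 -j reject
run_iptables -A common -p udp --dport 1024:1033 -j DROP
"""

REJECT_TARGET = re.compile(r"-j\s+reject\b")          # 'reject' is Shorewall's own chain
DPORT = re.compile(r"--dport\s+(\S+)")


def build_common(common_def: str, ports=("113", "135", "137:139")) -> str:
    """Return the text of /etc/shorewall/common (steps b, c and d).

    Only the 'reject' rules for the listed destination ports are copied, with
    their target changed to DROP.  The last line sources common.def so every
    other rule in it is still loaded.  Rule order matters: these DROP rules
    are appended to the 'common' chain first, so common.def's reject rules
    for the same ports, appended later, never see a packet.
    """
    dropped = []
    for line in common_def.splitlines():
        if not REJECT_TARGET.search(line):
            continue
        m = DPORT.search(line)
        if m and m.group(1) in ports:
            dropped.append(REJECT_TARGET.sub("-j DROP", line))
    header = [
        "#",
        "# /etc/shorewall/common -- generated: silently drop what common.def rejects.",
        "# Caveat from the list: dropping tcp/113 (ident) makes many FTP and SMTP",
        "# servers wait for an ident timeout before they serve you.",
        "#",
    ]
    return "\n".join(header + dropped + [f". {COMMON_DEF_PATH}", ""])


def dropped_ports(common_text: str) -> list:
    """Destination ports whose rules in the generated file end in DROP."""
    return [m.group(1) for m in re.finditer(r"--dport\s+(\S+)\s+-j DROP", common_text)]


if __name__ == "__main__":
    print(build_common(SAMPLE_COMMON_DEF))
```

Write the output of build_common() over your real common.def to /etc/shorewall/common and restart Shorewall. The caveat in the reply stands: ident (tcp/113) is queried by many FTP and SMTP servers, and a dropped query makes them wait for a timeout instead of getting an immediate reject, which is the "can't connect to many FTP sites" symptom.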
From: Vincent B. <be...@fr...> - 2003-01-06 12:01:16

OoO On this radiant late morning of Monday 06 January 2003, around 11:08, Mark Cheney <ch...@po...> said:

> When reading the faq on the Shorewall site I saw that shorewall rejects rather
> than denies connection requests on 'TCP ports 113, 135, 137 and 139
> as well as UDP ports 137-139'.

> The file /etc/shorewall/common.def advises me not to edit the file but rather
> to create a new one.

> Can anyone give me an idea on how to do this so that the above ports deny
> request attempts.

You mean "drop" ? Depending on your policy, I think an empty file will just do the trick.
--
BOFH excuse #52:

Smell from unhygenic janitorial staff wrecked the tape heads
From: <ag...@gm...> - 2003-01-06 10:15:15

Hi all

i am using shorewall firewall now, quite for a long time. everything works fine and i am very satisfied. but i have noticed one thing: when i try to use cuseeme or msnetmeeting i only can send video and audio signals but i can not receive any signals ... surely i have to open some ports or load a module. can anybody tell me what to do exactly?

i am using shorewall firewall within mandrake MNF 8.2

regards
achim
From: Mark C. <ch...@po...> - 2003-01-06 10:08:19

Hi all,

I have shorewall up and running on my system. (GNU-Linux Mandrake 9)

When I tested my firewall at grc.com, Shields-Up informs me that ports 113 and 135 are closed and not 'stealthed'

When reading the faq on the Shorewall site I saw that shorewall rejects rather than denies connection requests on 'TCP ports 113, 135, 137 and 139 as well as UDP ports 137-139'.

The file /etc/shorewall/common.def advises me not to edit the file but rather to create a new one.

Can anyone give me an idea on how to do this so that the above ports deny request attempts.

I guess this must be a fairly common question on the list, but a search yielded nothing at the mailing list archive.

Thanks for any help.

Mark Cheney.
From: Tom E. <te...@sh...> - 2003-01-06 04:03:54

--On Sunday, January 05, 2003 7:32 PM -0800 Tom Eastep <te...@sh...> wrote:

>
>
> --On Sunday, January 05, 2003 4:10 PM +0000 Simon Chalk
> <zen...@ze...> wrote:
>> But I have also read that this could cause
>> problems for VPN configurations.
>
> Can you give us just one clue about what you are talking about? I've read
> that the earth is flat too but I put very little store in the notion...

Are you talking about the problem with FreeS/WAN? AFAIK, the workaround that I recommend works fine to avoid that problem. Does anyone have any evidence to the contrary?

BTW -- that problem is just one of the weaknesses in the FreeS/WAN implementation. The IPSEC facility included in the 2.5 Linux Kernel doesn't use the FreeS/WAN base.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ te...@sh...
From: Tom E. <te...@sh...> - 2003-01-06 03:33:31

--On Sunday, January 05, 2003 4:10 PM +0000 Simon Chalk <zen...@ze...> wrote:

> Hi All,
>
> From the documentation I have read on Shorewall, the preferred approach
> seems to be, to use Proxy ARP instead of Static NAT for hosting web
> servers in the DMZ Zone. But I have also read that this could cause
> problems for VPN configurations.

Can you give us just one clue about what you are talking about? I've read that the earth is flat too but I put very little store in the notion...

> I essentially have multiple public IPs, which I want to map to private
> addresses in the DMZ. I also intend to setup a gateway between 2 networks
> using the same Firewall.
>
> So am I correct in saying that I should really be using Static NAT? But
> since Proxy ARP is the preferred approach, I wondered whether there are
> any issues with SNAT that I should be aware about?
>

I stand by my advice in the setup guide (http://shorewall.sf.net/shorewall_setup_guide.htm) unless you can convince me otherwise.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ te...@sh...
From: Tom E. <te...@sh...> - 2003-01-06 03:30:08

--On Sunday, January 05, 2003 2:28 PM +0100 Vincent Bernat <be...@fr...> wrote:

> Hello !
>
> I have begun to use Shorewall and I think there is a missing
> feature. Suppose that I have a given rule and that I want to add the
> condition that this rule matches only if the ToS bit x is set. There
> is no easy way to do this.
>
> Would it be possible to add a field "misc" which will allow the user
> to add specific iptables switches ? This misc field would just be
> appended to the resulting iptables rules.

I think this sort of thing should be handled in an extension script.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ te...@sh...
From: Tom E. <te...@sh...> - 2003-01-06 00:40:35

--On Monday, January 06, 2003 01:28:31 AM +0100 Bertrand Renuart <ber...@it...> wrote:

>
> Unfortunately, when the ADSL is disconnected, the ppp0 interface loses
> its shaping rules (am I wrong there ?)
> To solve the problem, I made a link to the tcstart script from
> /etc/ppp/ip-up.d...
>
> Am I wrong here?

No, that's fine.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ te...@sh...
From: Tom E. <te...@sh...> - 2003-01-06 00:38:21

--On Sunday, January 05, 2003 04:13:28 PM -0800 Tom Eastep <te...@sh...> wrote:

>
> Since you apparently don't read the documentation, I will quote it for
> you

Peter,

Please accept my apology for this outburst -- I probably shouldn't answer questions on Sunday evening given that I spend my weekends either with my wife's mother who is dying of cancer or with my own mother who has Alzheimer's disease. Needless to say, I'm never in a good mood on Sunday evenings but I shouldn't take it out on folks asking questions...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ te...@sh...
From: Bertrand R. <ber...@it...> - 2003-01-06 00:28:52

Hello,

My system is connected to the Internet through an ADSL line (and is of course protected by shorewall ;-)

Our ADSL is disconnected every 24 hours (by our provider, to make sure we don't get a nearly static IP). So far so good, the pppd daemon reconnects the line immediately.

We are also using some TC rules to shape the traffic (on ppp0). As suggested by TOM in his documentation, these rules are copied in the /etc/shorewall/tcstart file. They are therefore invoked each time shorewall is started.

Unfortunately, when the ADSL is disconnected, the ppp0 interface loses its shaping rules (am I wrong there ?)

To solve the problem, I made a link to the tcstart script from /etc/ppp/ip-up.d...

Am I wrong here?

Thanks for your feedback.

-bertrand
From: Tom E. <te...@sh...> - 2003-01-06 00:25:17

--On Sunday, January 05, 2003 04:21:10 PM -0800 Tom Eastep <te...@sh...> wrote:

>
>>
>> I noticed a debug option to the shorewall command, but I'm trying to
>> remember what that does. There doesn't seem to be a 'man' or 'info' page,
>> and the documentation index and reference manual don't seem to have
>> command line details (that I can find right now). I've been staring at
>> all this firewall stuff for far to long so I'm probably just missing it.
>

The 'debug' command is for getting a trace in the event that Shorewall won't start. See http://shorewall.sf.net/troubleshoot.htm.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ te...@sh...
From: Tom E. <te...@sh...> - 2003-01-06 00:21:14

--On Saturday, January 04, 2003 10:59:19 AM -0800 "Christopher A. Nielsen" <ch...@zo...> wrote:

>
> Thanks, Tom for your reply.
>
> I think I err'd in paying attention to (and posting) that log line. It's
> likely that that was an unrelated INCOMING DNS query to my public name
> server that just happened at the same time, so sorry about confusing the
> issue with that.
>
> The ones I should have posted look like this:
> udp 17 29 src=192.168.0.111 dst=192.33.14.30 sport=1286 dport=53
> [UNREPLIED] src=192.33.14.30 dst=216.254.34.6 sport=53 dport=1286 use=2
>
> It appears the reply isn't getting back through the firewall?

Entries like that in the connection tracking table usually mean that the replies _aren't getting back to_ the firewall. Have you looked at this with ethereal or tcpdump?

> But if
> 'three-interfaces' should work without modification, I'm confused, and
> thinking I'm barking up the wrong tree by assuming I need to add rules for
> those unreplied packets.

_If you have installed the three-interface sample properly_, then you don't have to add anything for DNS to work from the local zone, be it a caching name server or not.

>
> I figured that being able to ssh into a remote host would
> prove the problem isn't reversed NICs or something really wacky like that.
> I have separate hubs for 'loc' and 'dmz', and eth0 is to a dsl box and I
> am using 'host' from a 'loc' machine that is also the caching name server.
>
> It seems that something may be dropping the packets, but I haven't seen
> any easy way to "log everything dropped or rejected" the
> troubleshooting/support type pages.

Sigh -- Shorewall does that by default except for the silent drop/rejects that you see in the 'common' chain (shorewall show common).

>
> I noticed a debug option to the shorewall command, but I'm trying to
> remember what that does. There doesn't seem to be a 'man' or 'info' page,
> and the documentation index and reference manual don't seem to have
> command line details (that I can find right now). I've been staring at all
> this firewall stuff for far to long so I'm probably just missing it.

--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ te...@sh...
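Added example (not from the thread, and not Shorewall's code): a reader for /proc/net/ip_conntrack lines of the kind quoted above. It splits each entry into the original tuple and the reply tuple conntrack expects, and explains every [UNREPLIED] line the way the reply does: when the expected reply is addressed to the firewall's own address rather than to the host that sent the query, the flow was masqueraded and no answer has reached the firewall at all, so the place to look next is tcpdump on the external interface, not the rules. The sample table is constructed; its first line is the entry quoted in the message, the rest are made up in the same layout, and FIREWALL_IP is an assumption read off that entry.

```python
"""Explain [UNREPLIED] entries in /proc/net/ip_conntrack, as in the quoted line.

Added example for the thread above; not Shorewall's code.  SAMPLE is
constructed: the first line is the entry quoted in the message, the others
are made up in the same layout.  FIREWALL_IP is an assumption taken from the
reply-direction dst of that entry.
"""
import re

FIREWALL_IP = "216.254.34.6"

SAMPLE = """\
udp      17 29 src=192.168.0.111 dst=192.33.14.30 sport=1286 dport=53 [UNREPLIED] src=192.33.14.30 dst=216.254.34.6 sport=53 dport=1286 use=2
udp      17 25 src=192.168.0.111 dst=192.168.0.1 sport=1290 dport=53 src=192.168.0.1 dst=192.168.0.111 sport=53 dport=1290 use=1
tcp      6 431999 ESTABLISHED src=192.168.0.111 dst=203.0.113.10 sport=4321 dport=22 src=203.0.113.10 dst=216.254.34.6 sport=22 dport=4321 [ASSURED] use=1
udp      17 30 src=198.51.100.7 dst=216.254.34.6 sport=53001 dport=53 [UNREPLIED] src=216.254.34.6 dst=198.51.100.7 sport=53 dport=53001 use=1
"""

KV = re.compile(r"(\w+)=(\S+)")
FLAG = re.compile(r"\[(\w+)\]")
TUPLE_KEYS = ("src", "dst", "sport", "dport")


def parse_entry(line: str) -> dict:
    """Split one conntrack line into the original tuple and the expected reply.

    The first src/dst/sport/dport group is the packet that created the entry;
    the second is the reply conntrack expects, already rewritten by any NAT
    that applied.  Bracketed words (UNREPLIED, ASSURED) are flags.
    """
    orig, reply = {}, {}
    for key, val in KV.findall(line):
        if key in TUPLE_KEYS:
            (reply if key in orig else orig)[key] = val
    return {"proto": line.split()[0], "orig": orig, "reply": reply,
            "flags": set(FLAG.findall(line))}


def diagnose(table: str, firewall_ip: str = FIREWALL_IP) -> list:
    """Return (kind, explanation) for each UNREPLIED entry.

    kind is 'masqueraded' (outbound flow rewritten to the firewall's address,
    and the reply never reached the firewall: look on the external interface
    with tcpdump before touching the rules), 'local' (the firewall's own
    request, unanswered) or 'inbound' (something reached the firewall and
    nothing answered it).
    """
    findings = []
    for line in table.splitlines():
        e = parse_entry(line)
        if "UNREPLIED" not in e["flags"]:
            continue
        o, r = e["orig"], e["reply"]
        flow = f"{e['proto']} {o['src']}:{o['sport']} -> {o['dst']}:{o['dport']}"
        if r["dst"] != o["src"]:
            findings.append(("masqueraded", f"{flow} leaves as {r['dst']}:{r['dport']}; no reply has reached the firewall"))
        elif o["src"] == firewall_ip:
            findings.append(("local", f"{flow} sent by the firewall itself; no reply"))
        else:
            findings.append(("inbound", f"{flow} arrived at the firewall; nothing answered"))
    return findings


if __name__ == "__main__":
    for kind, text in diagnose(SAMPLE):
        print(f"{kind:12} {text}")
```

On a live box feed it the contents of /proc/net/ip_conntrack (2.4 kernels) instead of SAMPLE. An entry that is [UNREPLIED] and masqueraded is not evidence that the firewall dropped the reply: a dropped reply would have been logged by Shorewall, as the message says; this entry means the packet left and nothing came back.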
From: Tom E. <te...@sh...> - 2003-01-06 00:13:33

--On Sunday, January 05, 2003 01:40:12 AM +0100 Peter Lindeman <pe...@li...> wrote:

> Hello,
>
> Today I restarted the firewall machine during an outage of the ADSL line
> over here. At the boot Shorewall did not start but stopped during start.
> The problem was that the ADSL line was down so no DNS server available to
> resolve hostnames. I have a hostname in "blacklist" file and therefore
> shorewall did not start. Is this problem solvable without putting an IP
> address in the blacklist file ?
>

Since you apparently don't read the documentation, I will quote it for you from http://shorewall.sourceforge.net/configuration_file_basics.htm#dnsnames:

-----------------------------------------------------------------------------

WARNING: I personally recommend strongly against using DNS names in Shorewall configuration files. If you use DNS names and you are called out of bed at 2:00AM because Shorewall won't start as a result of DNS problems then don't say that you were not forewarned.

-Tom

Beginning with Shorewall 1.3.9, Host addresses in Shorewall configuration files may be specified as either IP addresses or DNS Names.

DNS names in iptables rules aren't nearly as useful as they first appear. When a DNS name appears in a rule, the iptables utility resolves the name to one or more IP addresses and inserts those addresses into the rule. So changes in the DNS->IP address relationship that occur after the firewall has started have absolutely no effect on the firewall's ruleset.

If your firewall rules include DNS names then:

* If your /etc/resolv.conf is wrong then your firewall won't start.
* If your /etc/nsswitch.conf is wrong then your firewall won't start.
* If your Name Server(s) is(are) down then your firewall won't start.
* If your startup scripts try to start your firewall before starting your DNS server then your firewall won't start.
* Factors totally outside your control (your ISP's router is down for example), can prevent your firewall from starting.
* You must bring up your network interfaces prior to starting your firewall.

-----------------------------------------------------------------------------

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ te...@sh...
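Added example (not from the thread, and not Shorewall's own code): a check that finds the DNS names in Shorewall configuration files, so the start-time dependency the quoted warning describes is known before the next outage rather than at 2:00AM. It assumes the 1.3-era file syntax (whitespace-separated columns, '#' comments, comma-separated lists inside a column, zone:interface:address forms joined by ':', '~' prefixed MAC addresses, '!' for negation); the sample files are constructed. It classifies tokens and resolves nothing, so it runs with the line down.

```python
"""Find DNS names in Shorewall configuration files before they stop a start.

Added example for the warning quoted above; not Shorewall's own code.  It
assumes the 1.3-era file syntax (whitespace-separated columns, '#' comments,
comma-separated lists inside a column, zone:interface:address forms joined by
':', '~' for MAC addresses, '!' for negation).  Sample files are constructed.
Nothing is resolved: the check classifies tokens and runs offline.
"""
import ipaddress
import re

SAMPLE_FILES = {
    "/etc/shorewall/blacklist": """\
#ADDRESS/SUBNET
192.0.2.0/24
spammer.example.net
""",
    "/etc/shorewall/rules": """\
#ACTION  SOURCE    DEST                     PROTO  DEST PORT(S)
ACCEPT   net       fw                       tcp    22
DNAT     net       loc:192.168.1.5          tcp    80
ACCEPT   loc:eth1  net:mirror.example.org   tcp    873
ACCEPT   loc       net:~00-A0-C9-14-C8-29   udp    137:139
""",
}

RANGE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}-\d{1,3}(?:\.\d{1,3}){3}$")
MAC = re.compile(r"^~[0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5}$")
NUMBER = re.compile(r"^\d+(?::\d+)?$")           # port or port range


def classify(token: str) -> str:
    """'address' if iptables can use it as-is, 'dnsname' if it must be
    resolved at rule-load time, 'name' for zones, interfaces and keywords."""
    token = token.lstrip("!")
    if not token:
        return "empty"
    if NUMBER.match(token) or RANGE.match(token) or MAC.match(token):
        return "address"
    try:
        ipaddress.ip_network(token, strict=False)
        return "address"
    except ValueError:
        pass
    # Zone and interface names carry no dot; anything dotted that is not an
    # address is a host name iptables will look up.  (A bare name such as
    # 'localhost' is missed by this heuristic.)
    return "dnsname" if "." in token else "name"


def find_dns_names(files: dict) -> list:
    """Return (path, line number, token) for every token that needs DNS."""
    hits = []
    for path, text in files.items():
        for lineno, raw in enumerate(text.splitlines(), start=1):
            line = raw.split("#", 1)[0]              # drop comments
            for column in line.split():
                for item in column.split(","):
                    for part in item.split(":"):     # zone:iface:address, port ranges
                        if classify(part) == "dnsname":
                            hits.append((path, lineno, part))
    return hits


if __name__ == "__main__":
    for path, lineno, token in find_dns_names(SAMPLE_FILES):
        print(f"{path}:{lineno}: '{token}' will be resolved when shorewall starts")
```

To run it against a real installation, build the dict from the files under /etc/shorewall instead of SAMPLE_FILES. Every hit is a name that iptables resolves once, at start, and never again, which is the point of the quoted text: replace it with the address it currently resolves to, or be prepared for the firewall not to come up when the resolver is unreachable.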
From: Simon C. <zen...@ze...> - 2003-01-05 16:10:49

Hi All,

From the documentation I have read on Shorewall, the preferred approach seems to be, to use Proxy ARP instead of Static NAT for hosting web servers in the DMZ Zone. But I have also read that this could cause problems for VPN configurations.

I essentially have multiple public IPs, which I want to map to private addresses in the DMZ. I also intend to setup a gateway between 2 networks using the same Firewall.

So am I correct in saying that I should really be using Static NAT? But since Proxy ARP is the preferred approach, I wondered whether there are any issues with SNAT that I should be aware about?

Any help would be much appreciated.

Regards,

Simon Chalk.
From: Vincent B. <be...@fr...> - 2003-01-05 13:28:48

Hello !

I have begun to use Shorewall and I think there is a missing feature. Suppose that I have a given rule and that I want to add the condition that this rule matches only if the ToS bit x is set. There is no easy way to do this.

Would it be possible to add a field "misc" which will allow the user to add specific iptables switches ? This misc field would just be appended to the resulting iptables rules.
--
BOFH excuse #107:

The keyboard isn't plugged in
From: Stephen G. <sg...@p0...> - 2003-01-05 11:38:36

At 10:28 PM 1/4/03, you wrote:

Thanks for your reply. I think that my problems are more related to my limited test environment rather than shorewall. I will test it further when I have the real internet connected rather than the PC that is simulating it.

>We need more info. All policies and rules would be a good start.
>
>But as the all2all policy is blocking, I assume you don't use your
>caching DNS server. (Just an idea.) What is the DNS you were querying
>from the computer in the local net?
>
>DNS requests to your fw (caching DNS) should work fine and the fw queries
>the DNS of your provider. Querying root servers all the time isn't such
>a good idea...
>
>btw: Did you restart shorewall? Caching DNS running?
>
>.karsten
>
>
>--
>Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!
From: Peter L. <pe...@li...> - 2003-01-05 00:40:09

Hello,

Today I restarted the firewall machine during an outage of the ADSL line over here. At the boot Shorewall did not start but stopped during start. The problem was that the ADSL line was down so no DNS server available to resolve hostnames. I have a hostname in "blacklist" file and therefore shorewall did not start. Is this problem solvable without putting an IP address in the blacklist file ?

--
Greetings, Peter
--
Always remember that you are unique, just like everyone else.
--- Do you have a Sony Digital video camera?
--- Have a look at http://www.dvin.org
--- Also have a look at http://www.lindeman.org
--- ICQ 22383596
--- Uptime lindeman.org: 0 days, 0 hours and 28 minutes, 0 users logged in.